[23.04 FEAT] openCryptoki: p11sak support Dilithium and Kyber keys

Bug #2003669 reported by bugproxy
Affects                   Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems   Fix Released  High        Skipper Bug Screeners
opencryptoki (Ubuntu)     Fix Released  High        Skipper Bug Screeners

Bug Description

Support to generate, list, delete Dilithium and Kyber token keys with the p11sak tool.

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-201343 severity-high targetmilestone-inin2304
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Incomplete
Changed in opencryptoki (Ubuntu):
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-02-07 11:45 EDT-------
This feature will also be part of the upcoming new openCryptoki v3.20 which will be available in time for lunar FF

Revision history for this message
Frank Heimes (fheimes) wrote :

That's perfect for us - thx for the update!

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-02-13 03:55 EDT-------
openCryptoki version 3.20.0 is now available at
https://github.com/opencryptoki/opencryptoki/releases/tag/v3.20.0

Frank Heimes (fheimes)
Changed in opencryptoki (Ubuntu):
status: Incomplete → Triaged
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Frank Heimes (fheimes)
Changed in opencryptoki (Ubuntu):
status: Triaged → Fix Committed
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
information type: Private → Public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.20.0+dfsg-0ubuntu1

---------------
opencryptoki (3.20.0+dfsg-0ubuntu1) lunar; urgency=medium

  * New upstream release (LP: #2003847), includes support for:
    - ep11 token: master key consistency (LP: #2003629)
    - ica and soft tokens: PKCS #11 3.0 - support AES_XTS (LP: #2003630)
    - ep11 token: PKCS #11 3.0 - support AES_XTS (LP: #2003632)
    - Support of ep11 token for new IBM Z Hardware (IBM z16) (LP: #2003635)
    - ep11 token: vendor specific key derivation (LP: #2003638)
    - key gen. with expected MKVP only on CCA and EP11 tokens (LP: #2003639)
    - p11sak support Dilithium and Kyber keys (LP: #2003669)
  * Remove patch
    d/p/lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
    since it's included in 3.19 and newer.
  * Remove patch
    d/p/lp-1989558-common-fix-memory-leak-in-save_private_token_object.patch
    since it's included in 3.19 and newer.
  * Adjust patch d/p/01-disable-testcases.patch due to minor change in context.
  * Refresh patch d/p/03-dlopen-soname.patch to fix 'fuzz'.
  * Modified patch
    d/p/lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
    due to change in context, refresh it to fix 'fuzz' and remove addgroup
    from Makefile.am, since this is handled in d/opencryptoki.postinst.
  * Add opencryptoki.pc to d/libopencryptoki-dev.install.
  * Add new config file ccatok.conf to d/opencryptoki.install.s390x.
  * Consolidate multiple /etc/opencryptoki/*.conf entries in
    d/opencryptoki.install to one line and make it more generic.
  * Migrate in d/rules from 'dh_install --fail-missing --sourcedir=debian/tmp'
    to 'dh_install --sourcedir=debian/tmp' and 'dh_missing --fail-missing'.
  * Update 'Standards-Version' field in d/control to latest version 4.6.1.0.
  * Expand the copyright year range in d/copyright reflecting the latest code.

 -- Frank Heimes <email address hidden> Mon, 13 Feb 2023 10:10:45 +0100

Changed in opencryptoki (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-05-08 08:12 EDT-------
I am about to verify this feature, but noticed the following:

When 'libopencryptoki-dev' is not installed, p11sak does not find the libopencryptoki.so:

# p11sak gen ibm-dilithium r3_87 --label kyber --slot 4
Error: failed to open pkcs11 lib 'libopencryptoki.so'

However, 'libopencryptoki.so' is available in '/usr/lib/s390x-linux-gnu/pkcs11/'

By setting environment variable PKCSLIB to '/usr/lib/s390x-linux-gnu/pkcs11/libopencryptoki.so', it works.

Also, after installing the 'libopencryptoki-dev' package, p11sak finds it right away (without setting PKCSLIB), and 'libopencryptoki.so' is available in:

/usr/lib/s390x-linux-gnu/pkcs11/libopencryptoki.so
/usr/lib/s390x-linux-gnu/libopencryptoki.so
/usr/lib/s390x-linux-gnu/opencryptoki/libopencryptoki.so

I don't think that this is as it should be. One should be able to use p11sak without having to install the dev package. Seems something is wrong with the library search path. p11sak does a dlopen() on 'libopencryptoki.so'. PKCS#11 applications will probably also do so and will thus also fail, unless they specify the full path of libopencryptoki.so or set the library search path correctly.

'make install' updates /etc/ld.so.conf.d and adds a 'opencryptoki-$(target_cpu).conf' file that contains the pkcs11 and opencryptoki directories. Maybe this is missing during package install?

@Frank: can you please comment ?

Revision history for this message
Frank Heimes (fheimes) wrote :

Hi Ingo, sorry for the delay, still catching up on a lot of topics.
You are absolutely right, opencryptoki and libopencryptoki0 must be enough - -dev is only for headers and other development purposes.
If I could see it correctly there was a little issue in the link generation of the .so files (and all its versions).

I've created a "3.20.0+dfsg-0ubuntu3" package set that is available here: https://launchpad.net/~fheimes/+archive/ubuntu/test
that package generates the in my opinion missing link:
./usr/lib/s390x-linux-gnu/opencryptoki/libopencryptoki.so -> libopencryptoki.so.0.0.0
Would you mind giving it a quick try?

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-05-25 02:38 EDT-------
Hi Frank,

it got somewhat better, but still not successful.

With 3.20.0+dfsg-0ubuntu3 we now have those libraries (without installing the -dev package):

# find / -name libopencryptoki.so
/usr/lib/s390x-linux-gnu/pkcs11/libopencryptoki.so
/usr/lib/s390x-linux-gnu/opencryptoki/libopencryptoki.so

That's OK, but those directories are still not in the library search path, so a dlopen with libopencryptoki.so will still not find it:

# p11sak list-key all --slot 1 --pin <pin>
Error: failed to open pkcs11 lib 'libopencryptoki.so'

You still need to add the 'opencryptoki-$(target_cpu).conf' file into '/etc/ld.so.conf.d/'.

That file is installed via 'make install' and should also be installed by libopencryptoki0. It contains lines like this:

/usr/lib/s390x-linux-gnu/opencryptoki
/usr/lib/s390x-linux-gnu/opencryptoki/stdll

And will tell the dynamic linker to add those directories to the cache. That way a dlopen will also look in these directories, and thus will find /usr/lib/s390x-linux-gnu/opencryptoki/libopencryptoki.so. See 'man ldconfig' for details about this.

Alternatively, you must also install '/usr/lib/s390x-linux-gnu/libopencryptoki.so' (note the path: no subdirectory under /usr/lib/s390x-linux-gnu/), /usr/lib/s390x-linux-gnu/ seems to be in the default library search path.
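
The lookup described in the two comments above (p11sak, and most PKCS#11 consumers, call dlopen() on the bare name 'libopencryptoki.so', so success depends entirely on what the loader's search path and ld.so.cache know), as an added example in C that is not p11sak's or openCryptoki's own code. It tries an explicit PKCSLIB-style override first, then the bare soname, then absolute paths under the package directories quoted in this thread. The directory list, the function names and the PKCSLIB handling are assumptions for illustration; the error string mirrors the one p11sak prints above.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Directories the Ubuntu packages in this thread install the library into.
 * Assumed from the paths quoted above; adjust for your architecture. */
static const char *const FALLBACK_DIRS[] = {
    "/usr/lib/s390x-linux-gnu/opencryptoki",
    "/usr/lib/s390x-linux-gnu/pkcs11",
    "/usr/lib/s390x-linux-gnu",
};
#define NUM_FALLBACK_DIRS (sizeof(FALLBACK_DIRS) / sizeof(FALLBACK_DIRS[0]))
#define MAX_CANDIDATES (NUM_FALLBACK_DIRS + 2)
#define PATH_MAX_LEN 512

/* Fill `out` with the paths to try, in order:
 *   1. an explicit override (the PKCSLIB value), if any;
 *   2. the bare soname, which dlopen() resolves through ld.so.cache and the
 *      directories listed under /etc/ld.so.conf.d: this is the lookup that
 *      fails when no conf fragment names the package's directories;
 *   3. absolute paths under the known package directories.
 * Returns the number of candidates written. */
size_t build_candidates(const char *soname, const char *override,
                        char out[][PATH_MAX_LEN], size_t max)
{
    size_t n = 0;
    if (override && *override && n < max)
        snprintf(out[n++], PATH_MAX_LEN, "%s", override);
    if (n < max)
        snprintf(out[n++], PATH_MAX_LEN, "%s", soname);
    for (size_t i = 0; i < NUM_FALLBACK_DIRS && n < max; i++)
        snprintf(out[n++], PATH_MAX_LEN, "%s/%s", FALLBACK_DIRS[i], soname);
    return n;
}

/* Try each candidate with dlopen(). On success return the handle and copy
 * the winning path into `used`; on failure return NULL and leave the last
 * dlerror() text in `used` so the caller can report where lookup gave up. */
void *open_pkcs11_module(const char *soname, const char *override,
                         char *used, size_t used_len)
{
    char cand[MAX_CANDIDATES][PATH_MAX_LEN];
    size_t n = build_candidates(soname, override, cand, MAX_CANDIDATES);

    for (size_t i = 0; i < n; i++) {
        void *h = dlopen(cand[i], RTLD_NOW | RTLD_LOCAL);
        if (h) {
            snprintf(used, used_len, "%s", cand[i]);
            return h;
        }
    }
    const char *err = dlerror();
    snprintf(used, used_len, "%s", err ? err : "unknown dlopen error");
    return NULL;
}

int main(void)
{
    char where[PATH_MAX_LEN];
    /* PKCSLIB is the same override the thread used as a workaround. */
    void *h = open_pkcs11_module("libopencryptoki.so", getenv("PKCSLIB"),
                                 where, sizeof where);
    if (!h) {
        fprintf(stderr,
                "Error: failed to open pkcs11 lib 'libopencryptoki.so': %s\n",
                where);
        return 1;
    }
    printf("loaded %s\n", where);
    dlclose(h);
    return 0;
}
```

On a system where the ld.so.conf.d fragment is missing, the bare-name attempt fails and the absolute-path fallback is what succeeds; `ldconfig -p | grep libopencryptoki` shows what the loader's cache actually knows, and is the first thing to check before blaming the application. A consumer that only ever tries the bare name has no such fallback, which is why fixing the packaging (the conf fragment, or an unversioned link in a default search directory) helps every PKCS#11 client rather than p11sak alone.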

Revision history for this message
Frank Heimes (fheimes) wrote :

Hmm, the situation was a bit weird, with all the different shared object files and their various links in the opencryptoki packages.
I have to correct myself a bit, the libopencryptoki0 package should only have the numbered .so (ref. the ABI), and libopencryptoki-dev had the .so w/o number, but just as indicator and hint for the linker.
There should usually be no .so w/o number in opencryptoki or libopencryptoki0 (according to the Debian Policy).

So the 'opencryptoki-$(target_cpu).conf' file is an approach to address this.
Interestingly, all files in etc/ld.so.conf.d generated by make were explicitly removed (in debian/rules) before the installation.
And that has already been the case for a long time.
Means so far everyone (incl. me) has probably used the PKCSLIB environment variable.

While spending some time on this package I guess I've found a way to avoid the need of installing the -dev package.
I reactivated the conf, set it accordingly, changed some of the .install and -link files - and did some update on the package on top (to compact 13).

I tried it out on one of my systems and it seems to work:

ubuntu@hwe0009:~$ p11sak list-key all --slot 1
-bash: /usr/sbin/p11sak: No such file or directory
ubuntu@hwe0009:~$ sudo apt install ./opencryptoki_3.20.0+dfsg-0ubuntu1.1_s390x.deb ./libopencryptoki0_3.20.0+dfsg-0ubuntu1.1_s390x.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'opencryptoki' instead of './opencryptoki_3.20.0+dfsg-0ubuntu1.1_s390x.deb'
Note, selecting 'libopencryptoki0' instead of './libopencryptoki0_3.20.0+dfsg-0ubuntu1.1_s390x.deb'
The following NEW packages will be installed:
  libopencryptoki0 opencryptoki
0 upgraded, 2 newly installed, 0 to remove and 2 not upgraded.
Need to get 0 B/992 kB of archives.
After this operation, 4,173 kB of additional disk space will be used.
Get:1 /home/ubuntu/libopencryptoki0_3.20.0+dfsg-0ubuntu1.1_s390x.deb libopencryptoki0 s390x 3.20.0+dfsg-0ubuntu1.1 [819 kB]
Get:2 /home/ubuntu/opencryptoki_3.20.0+dfsg-0ubuntu1.1_s390x.deb opencryptoki s390x 3.20.0+dfsg-0ubuntu1.1 [174 kB]
Selecting previously unselected package libopencryptoki0:s390x.
(Reading database ... 166368 files and directories currently installed.)
Preparing to unpack .../libopencryptoki0_3.20.0+dfsg-0ubuntu1.1_s390x.deb ...
Unpacking libopencryptoki0:s390x (3.20.0+dfsg-0ubuntu1.1) ...
Selecting previously unselected package opencryptoki.
Preparing to unpack .../opencryptoki_3.20.0+dfsg-0ubuntu1.1_s390x.deb ...
Unpacking opencryptoki (3.20.0+dfsg-0ubuntu1.1) ...
Setting up libopencryptoki0:s390x (3.20.0+dfsg-0ubuntu1.1) ...
Setting up opencryptoki (3.20.0+dfsg-0ubuntu1.1) ...
addgroup: The group `pkcs11' already exists as a system group. Exiting.
adduser: The user `root' is already a member of `pkcs11'.
Created symlink /etc/systemd/system/multi-user.target.wants/pkcsslotd.service → /lib/systemd/system/pkcsslotd.service.
Processing triggers for man-db (2.11.2-1) ...
Processing triggers for libc-bin (2.37-0ubuntu2) ...
Scanning processes...
Scanning processor m...


Revision history for this message
Frank Heimes (fheimes) wrote :

That's the new LP bug, where the issue mentioned in comments #5 to #8 will be addressed:
LP#2022088

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-06-02 03:17 EDT-------
Thanks for the update. Let me know when you have a new package for me to test.

Revision history for this message
Frank Heimes (fheimes) wrote :

Thanks for your patience - the new package(s) are already there, via LP#2022088
and then https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
(I did the modification for all releases down to focal / 20.04.)

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-06-02 04:10 EDT-------
Looks good now!

I installed libopencryptoki0_3.20.0+dfsg-0ubuntu2_s390x.deb and opencryptoki_3.20.0+dfsg-0ubuntu2_s390x.deb manually on 23.04 and now p11sak finds libopencryptoki.so.

BTW: adding the PPA via add-apt-repository failed:
# sudo add-apt-repository ppa:fheimes/lp2022088
....
Err:6 https://ppa.launchpadcontent.net/fheimes/test/ubuntu lunar InRelease
403 Forbidden [IP: 185.125.190.52 443]

Nevermind, installing the packages manually via dpkg -i worked.

Revision history for this message
Frank Heimes (fheimes) wrote :

Many thanks for re-testing, Ingo!

Adding the PPA works for me:
$ sudo add-apt-repository ppa:fheimes/lp2022088
Repository: 'deb https://ppa.launchpadcontent.net/fheimes/lp2022088/ubuntu/ lunar main'
Description:
lp2022088
More info: https://launchpad.net/~fheimes/+archive/ubuntu/lp2022088
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.
Adding deb entry to /etc/apt/sources.list.d/fheimes-ubuntu-lp2022088-lunar.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/fheimes-ubuntu-lp2022088-lunar.list
Adding key to /etc/apt/trusted.gpg.d/fheimes-ubuntu-lp2022088.gpg with fingerprint 73E9E91F16C43C45C621AE3EDF0A28DEFAFEB468
Hit:1 http://ports.ubuntu.com/ubuntu-ports lunar InRelease
Get:2 http://ports.ubuntu.com/ubuntu-ports lunar-updates InRelease [109 kB]
Hit:3 https://ppa.launchpadcontent.net/arighi/s390x-test/ubuntu lunar InRelease
Get:4 http://ports.ubuntu.com/ubuntu-ports lunar-backports InRelease [99.8 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports lunar-security InRelease [109 kB]
Hit:6 https://ppa.launchpadcontent.net/canonical-kernel-team/bootstrap/ubuntu lunar InRelease
Get:7 http://ports.ubuntu.com/ubuntu-ports lunar-updates/main s390x Packages [118 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports lunar-updates/universe s390x Packages [57.8 kB]
Get:9 https://ppa.launchpadcontent.net/fheimes/lp2022088/ubuntu lunar InRelease [18.0 kB]
Get:10 https://ppa.launchpadcontent.net/fheimes/lp2022088/ubuntu lunar/main s390x Packages [912 B]
Get:11 https://ppa.launchpadcontent.net/fheimes/lp2022088/ubuntu lunar/main Translation-en [468 B]
Fetched 512 kB in 2s (278 kB/s)
Reading package lists... Done

Proxy / firewall?

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-06-02 05:12 EDT-------
Well, "403 Forbidden" sounds more like a permission problem to access the web page.... maybe it's only available inside Ubuntu?
Anyway, not a real problem for me now.

------- Comment From <email address hidden> 2023-06-02 05:17 EDT-------
Frank, did you also see IBM BZ 202533 / LP 2018908 "[UBUNTU 23.04] opencryptoki 3.20.0: strength.conf has wrong mode" ?
This might be something that you also want to fix while you are at it.

------- Comment From <email address hidden> 2023-06-02 05:18 EDT-------
And a similar one for 22.04: BZ 202380 / LP 2018911: "[UBUNTU 22.04] opencryptoki 3.17.0 is missing the strength.conf config file"

Revision history for this message
Frank Heimes (fheimes) wrote :

Oh no, I haven't noticed these.
Maybe because they are not assigned to the right package.
Anyway, I can change this and will have a look (I think that I added the strength file already with my last modification, but let me double check, and have a look at the mode ...)
Thanks for pointing me to these!

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2023-10-12 07:20 EDT-------
Hi,
I am trying to install the libopencryptoki0_3.20.0+dfsg-0ubuntu2_s390x.deb but I cannot find the repository providing said package for ubuntu 23.04.
Could you please help me out with this? Thanks

Revision history for this message
Frank Heimes (fheimes) wrote :

I think "libopencryptoki0_3.20.0+dfsg-0ubuntu2_s390x.deb" was only the PPA version.
The regular archive versions may have slightly different version numbers, and I think that is the case here:
rmadison says that the latest version in lunar/23.04 is "3.20.0+dfsg-0ubuntu1.1":
$ rmadison --arch=s390x opencryptoki | grep lunar
 opencryptoki | 3.20.0+dfsg-0ubuntu1 | lunar/universe | s390x
 opencryptoki | 3.20.0+dfsg-0ubuntu1.1 | lunar-updates/universe | s390x
And the corresponding changelog (https://launchpad.net/ubuntu/+source/opencryptoki/+changelog) says:
"
opencryptoki (3.20.0+dfsg-0ubuntu1.1) lunar; urgency=medium

  * Add d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix the failure that p11sak is not able to find libopencryptoki as
    plugin, by adjusting 'default_pkcs11lib'. (LP: #2022088)
  * d/opencryptoki.install: install full set of etc/opencryptoki build
    folder to esp. catch all generated conf files and on top make the arch-
    specific file 'opencryptoki.install.s390x' obsolete. (LP: #2018911)
  * d/opencryptoki.postinst: change strength.conf file permissions to 640
    which is checked/forced by the opencryptoki code. (LP: #2018908)
"
So the bug LP#2003669 is fixed in "3.20.0+dfsg-0ubuntu1.1".

Means if you have a 23.04 system,
just update the package index:
sudo apt update
and update the entire system to the latest level (sudo apt full-upgrade) or selectively only the opencryptoki package(s) (sudo apt install libopencryptoki0).

Btw. the following will give you (after apt update) a picture of what's available to install and what is currently installed:
apt-cache policy opencryptoki libopencryptoki0 libopencryptoki-dev
